Implementing anti-abuse techniques on ISP networks....
Christopher Masto
chris at netmonger.net
Thu Aug 7 15:27:31 UTC 1997

On Wed, Aug 06, 1997 at 04:00:14PM -0700, J.D. Falk wrote:
> > I don't know about the "huge players", but we're an Internet Service
> > Provider, not an Internet Blockage Provider. We don't allow spoofing,
> > and we don't allow relaying, but we're not about to put filters
> > to prevent dialup customers from connecting wherever they want.
>
> How 'bout to stop them from connecting wherever they want,
> spoofing their IP address so it looks like it's your box at
> home that's hacking into the NSA instead of them?
>
> This is an extreme example, but hopefully it illustrates the
> reason that a little simple filtering is a Good Thing[TM].

Inasmuch as filtering each dial-up port to only allow packets from
its own source address is an operational issue.. :-) I said "we don't
allow spoofing".

Operational question: will a Livingston Portmaster allow source IP
spoofing? That is, if you have been given an address of x, can you
send a packet from y? If the answer is "yes" (and I can think of a
reason or two why it should be), and given the current implementation
of RADIUS and its method of supplying filter rules, one immediate
solution comes to mind. Set up a filter rule for every possible IP
address that may be assigned, and have the RADIUS server supply the
rule that goes with the Framed-IP-Address. Hmmm.
--
= Christopher Masto = chris at netmonger.net = http://www.netmonger.net/ =
= NetMonger Communications = finger for PGP key = $19.95/mo unlimited access =
= Director of Operations = (516) 221-6664 = mailto:info at netmonger.net =
v---(cut here)---v
--
yourname at some.dumb.host.com
"Keep in mind that anything Kibo says makes a great sig." -- Kibo
^---(cut here)---^
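
Added example, not part of the original message or any vendor's code: a sketch of the scheme proposed above, with one pre-provisioned filter per assignable address and the RADIUS reply carrying the Filter-Id that matches the Framed-IP-Address. The pool, the filter naming scheme and the rule representation are assumptions; the rules are vendor-neutral, not PortMaster syntax.

```python
import ipaddress

# Constructed sample dial-up pool (documentation range); an assumption.
POOL = ipaddress.ip_network("192.0.2.0/29")

def filter_name(addr):
    """Hypothetical naming scheme: one filter per assignable address."""
    return "src-" + str(addr).replace(".", "-")

def build_filters(pool):
    """Return {filter_name: rules}. Each filter permits exactly one source
    address and denies every other source. Rules are (action, network)
    tuples in a vendor-neutral form."""
    filters = {}
    for host in pool.hosts():
        filters[filter_name(host)] = [
            ("permit", ipaddress.ip_network(f"{host}/32")),
            ("deny", ipaddress.ip_network("0.0.0.0/0")),
        ]
    return filters

def radius_reply(framed_ip, filters):
    """Attributes the RADIUS server would send back for a session: the
    assigned address plus the Filter-Id that goes with it."""
    addr = ipaddress.ip_address(framed_ip)
    name = filter_name(addr)
    if name not in filters:
        raise KeyError(f"no filter pre-provisioned for {addr}")
    return {"Framed-IP-Address": str(addr), "Filter-Id": name}

def allowed(filters, filter_id, packet_src):
    """First-match evaluation of a port's input filter against a source."""
    src = ipaddress.ip_address(packet_src)
    for action, net in filters[filter_id]:
        if src in net:
            return action == "permit"
    return False  # nothing matched: drop

if __name__ == "__main__":
    filters = build_filters(POOL)
    reply = radius_reply("192.0.2.3", filters)
    print(len(filters), "filters provisioned;", reply)
    print("own address :", allowed(filters, reply["Filter-Id"], "192.0.2.3"))
    print("spoofed src :", allowed(filters, reply["Filter-Id"], "198.51.100.7"))
```

The number of filters grows one-for-one with the address pool, which is the operational cost of this approach.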